Office of the Inspector General

January 31, 2000

To:      William A. Halter
         Deputy Commissioner of Social Security

From:    Inspector General

Subject: Management Advisory Report – The Social Security Administration's Warning Banner Implementation (A-13-98-12041)

Attached is a copy of the subject Management Advisory Report. The objectives of this review were to determine the extent of the implementation of the Social Security Administration's (SSA) warning banner on its local area networks and to determine whether the banner language implemented was the same language drafted and approved by SSA and the Office of the Counsel to the Inspector General.

You may wish to comment on any further action taken or contemplated on our recommendations. If you choose to comment, please provide your comments within 60 days of the date of this memorandum. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Acting Assistant Inspector General for Audit, at (410) 965-9700.

James G. Huse, Jr.

Attachment


OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION'S WARNING BANNER IMPLEMENTATION

January 2000   A-13-98-12041

MANAGEMENT ADVISORY REPORT


Office of the Inspector General

January 31, 2000

To:      William A. Halter
         Deputy Commissioner of Social Security

From:    Inspector General

Subject: Management Advisory Report – The Social Security Administration's Warning Banner Implementation (A-13-98-12041)

OBJECTIVE

The objectives of this review were to determine the extent of the implementation of the Social Security Administration's (SSA) warning banner on its local area networks (LAN) and to determine whether the banner language implemented was the same language drafted and approved by SSA and the Office of the Counsel to the Inspector General (OCIG).

BACKGROUND

As a user accesses (logs on to) an SSA LAN, SSA's warning banner is displayed first and processing stops. The user must press the banner's "OK" button to reach the SSA LAN logon screen.1 This action is an acknowledgement of the banner and its contents.

1 The screen where users enter their identification and password to gain entry into SSA's LAN.

The warning banner drafted and approved by SSA and OCIG is as follows.

    This is a U.S. Government computer system subject to Federal law. The Social Security Administration is an agency of the U.S. Federal Government. SSA's network and all nodes attached are provided as a service to its employees and authorized contractors. There is no expectation of user privacy in the system including, but not limited to, electronic mail messages. Unauthorized attempts to access, upload, or otherwise alter data, programming language, or any other part of SSA's systems are strictly prohibited and are subject to disciplinary and/or civil action or criminal prosecution. Anyone using this system expressly consents to monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, SSA may provide the evidence of such monitoring to law enforcement officials.

SSA's warning banner is a security tool that deters fraud and abuse of SSA's systems because it informs an employee or hacker that unauthorized access to an SSA system can be subject to disciplinary or civil action or criminal prosecution. The banner also serves as a law enforcement tool because it makes it clear to employees that unauthorized use of SSA computers is prohibited.

The banner does not address every computer security-related issue. Instead, it works with other SSA policies, procedures, and security measures, including those concerning the use of Government property and privacy in the workplace. For example, the SSA warning banner does not state that its computers are to be used for official SSA activities. Conversely, chapter 14, Microcomputer Security, of the SSA Systems Security Handbook emphasizes the official use of SSA computers in bold print.

We performed this review at the Office of the Inspector General's (OIG) Office of Investigations' (OI) request after it identified a desktop computer that did not show SSA's warning banner when the user accessed an SSA LAN. SSA's warning banner facilitates search and seizure efforts by informing employees that there is no expectation of user privacy in SSA systems. The warning banner makes clear to all parties the rules governing the use of SSA's automated information systems.

After discussing the OI request with OCIG, we determined that this review should also follow up on the OCIG's June 23, 1997, OIG Regulatory Commentary, Social Security Administration Computer Warning Banner.
The Commentary concluded that SSA should institute a computer warning banner that will serve as both a deterrent against unauthorized computer intrusions and a weapon in the Agency's efforts to combat employee fraud. In a July 30, 1997, memorandum, the Commissioner of SSA agreed that SSA should have an Agency-wide computer warning banner on each internal computer. The Commissioner stated that the warning banner would be added to the individual computers as they are transferred to the SSA Windows New Technology (NT) environment2 within the next 12 months (July 30, 1998).

2 The SSA Windows NT environment is a LAN maintained and controlled by OTSO.

SSA and OCIG drafted and approved the warning banner language. Once the language was approved, the Office of Telecommunications and Systems Operations (OTSO) began implementing SSA's warning banner as the individual computers were transferred to the SSA Windows NT environment. In September 1998, OTSO informed us that the transfer of all computers and LANs to an SSA Windows NT environment was ongoing and was planned for completion by September 30, 1999. SSA estimated that 2,825 LANs with 59,095 computers were operating on the SSA Windows NT environment, and at least 300 LANs needed to be transferred. In September 1999, SSA informed us that it needed to transfer 4,164 (5 percent) of its 77,430 devices3 to the Windows NT environment.

3 SSA defines devices as a mix of network components such as printers, computers, and LAN servers.

SCOPE AND METHODOLOGY

We limited the scope of this review to the warning banner used with Agency LANs. We visited 19 offices and observed whether the warning banner and acknowledgement were displayed as users accessed SSA LANs. Those offices included the Office of Hearings and Appeals (OHA) and offices located at SSA Headquarters and its regions. We interviewed personnel within the Office of General Counsel, Office of Financial Policy and Operations (OFPO), Division of Systems Security (DSS), and the Office of Systems to ascertain the number and types of SSA LANs and to verify whether the warning banner implemented was the banner approved by SSA and OCIG. We performed this review from July through November 1998. In September 1999, we obtained the status of the banner implementation.

RESULTS OF REVIEW

SSA made significant accomplishments with the implementation of its warning banner, which is displayed on the estimated 59,095 computers accessing 2,825 LANs. However, SSA did not complete the transfer of individual computers to the SSA Windows NT environment by July 30, 1998, as planned. SSA extended this date to September 30, 1999. As a result, implementation of SSA's warning banner is incomplete for those computers connected to the remaining 300 LANs to be transferred. Also, the warning banner language was not the approved language.

Implementation of the Banner Needs to Be Completed

SSA believed most of the 300 LANs lacking banners were located at SSA Headquarters and few remained in SSA's regions. SSA could not provide documentation to support the accuracy of the 300-LAN estimate or to show how many computers were connected to those LANs. SSA also could not provide an implementation plan showing the resource allocation and timing for the transfer of the 300 LANs to the SSA Windows NT environment by September 30, 1999, a planned project delay from the July 30, 1998, completion. At the time of our review, we believed the warning banner may not be fully implemented on all SSA LANs by the end of FY 1999 because the 300-LAN estimate may not be accurate, and there is a lack of planning documentation for the implementation of those LANs.

We judgmentally selected 19 offices throughout SSA to determine whether the warning banner and acknowledgement were displayed as users accessed SSA LANs. We confirmed that computers connected to the SSA Windows NT environment displayed the banner and its acknowledgement, and those computers not connected to the Windows NT environment did not display the banner and its acknowledgement. Specifically, we found that the banner and its acknowledgement were displayed on 10 computers connected to the SSA Windows NT environment. Likewise, we found that nine computers not connected to the SSA Windows NT environment did not display the banner and its acknowledgement, and those computers access sensitive information such as disability information maintained by OHA. One significant Headquarters office that did not display the banner on its computer was the OFPO, DSS. Appendix A lists the offices and their components whose computers did not display the banner and its acknowledgement.

Planned project delays and potential unplanned delays resulted in the warning banner not being implemented timely. As a result, SSA did not take necessary steps to reduce fraud and abuse.
We believe the warning banner implementation should no longer be associated with the transfer of individual computers to the SSA Windows NT environment. Rather, the warning banner should be implemented on all SSA LANs, regardless of the scheduled transfer to the SSA Windows NT environment.

In September 1999, SSA informed us that 73,266 of its 77,430 devices were transferred to the SSA Windows NT environment. SSA could not provide the number of computers and LANs included in the 77,430 devices. Because the transfer to the Windows NT environment is ongoing, implementation of SSA's warning banner is incomplete for the number of computers and LANs within the 4,164 (77,430 less 73,266) remaining devices.

Only the Approved Warning Banner Language Should Be Used

The warning banner displayed on 59,095 computers accessing the SSA Windows NT environment did not agree with the banner drafted and approved by SSA and OCIG. The Department of Justice (DoJ) Computer Crime Unit also reviewed and approved the SSA/OCIG approved warning banner. The DoJ approval was critical to ensuring the banner was acceptable for law enforcement purposes. After the approvals, SSA altered the banner language, but it could not explain when or why the language was altered.

Text of the approved banner was either omitted from or changed in the implemented warning banner. For example, SSA omitted the word "access" as a type of activity that is prohibited. The word "access" should be included in the banner because SSA LANs can be accessed and sensitive information can be viewed without alteration. Also, the word "access" is needed in the banner for employee investigations because it makes it clear to employees that unauthorized use of SSA computers is prohibited. As a result of such omissions, we believe SSA's warning banner is less effective as a tool to deter fraud and abuse of SSA systems. Also, the prosecution for unauthorized access could be impeded because an employee can now deny knowledge of wrongdoing. Appendix B shows the warning banner language used by SSA, and the SSA/OCIG approved banner language with the omitted or changed language in bold print.

In the July 30, 1997, response to the OIG Commentary, the Commissioner of SSA stated that the warning banner would be added to the individual computers within the next 12 months. DSS staff did not confirm that the Office of Systems implemented the SSA/OCIG approved warning banner by July 30, 1998. The Systems Security Handbook states that the SSA Systems Security Officer has overall responsibility for security policy, procedures, and standards for SSA LANs and individual computers. It also states, "The SSA Systems Security Officer is responsible for monitoring system security to ensure Agency compliance with established policy."

CONCLUSION AND RECOMMENDATIONS

SSA implemented the warning banner as it transferred individual computers to the SSA Windows NT environment. However, that banner was not the SSA/OCIG approved banner. Also, because LANs within the 4,164 devices need to be transferred to the SSA Windows NT environment, the warning banner implementation is incomplete. The DSS should have ensured that the SSA/OCIG approved warning banner was fully implemented.

We recommend that SSA:

1. Direct DSS to follow SSA's security policy and monitor the implementation of the approved warning banner to ensure its completion in a timely manner;

2. Direct DSS to follow SSA's security policy and monitor the continued Agency-wide use of the warning banner as a security objective; and

3. Implement the SSA/OCIG approved warning banner by the end of Calendar Year 1999 on all SSA LANs to deter fraud and abuse of computers accessing SSA LANs and assist with any investigations involving those computers.

AGENCY COMMENTS AND OIG RESPONSE

SSA agreed with our recommendations. It stated that the Office of Systems Security (formerly Division of Systems Security) is monitoring the implementation of the approved banner, to be completed with the transfer of devices to the SSA Windows NT environment by the end of spring 2000. SSA LANs have been updated with the approved language. We believe that SSA's proactive actions in response to this report demonstrate its commitment to an aggressive systems security program.

James G. Huse, Jr.


APPENDICES


APPENDIX A

Social Security Administration Offices Not Observing and Acknowledging Warning Banner

Computers in nine offices from eight Social Security Administration (SSA) components did not display SSA's warning banner and its acknowledgement. Eight of the offices were located at SSA Headquarters.
SSA is taking an unnecessary risk of fraud and abuse for those computers and any others not displaying a warning banner with an acknowledgement.

Deputy Commissioner                    | Office                                                                              | SSA Location
---------------------------------------|-------------------------------------------------------------------------------------|--------------------
Communications                         | Office of Public Inquiries, Policy Procedures and Operations Support Group          | Headquarters
Disability and Income Security Programs| Office of Hearings and Appeals                                                      | Falls Church Office
Finance, Assessment and Management     | Office of Financial Policy and Operations, Division of Systems Security             | Headquarters
                                       | Office of Quality Assurance and Performance Assessment, Division of Data Management | Headquarters
Human Resources                        | Office of Labor Management and Employee Relations, Policy Integration Team          | Headquarters
Legislation and Congressional Affairs  | Supplemental Security Income Program Staff                                          | Headquarters
Operations                             | Office of Telephone Services, Service Team                                          | Headquarters
Policy                                 | Office of Research, Evaluation and Statistics                                       | Headquarters
Systems                                | Office of Systems Design and Development, Division of Data Systems                  | Headquarters


APPENDIX B

Banner Language

The banner language used by the Social Security Administration (SSA) and the banner approved by SSA and the Office of the Counsel to the Inspector General (OCIG) are shown below. The omitted or changed text is shown in bold print (rendered here between asterisks) on the SSA/OCIG approved banner.

Banner Being Used by SSA

The Social Security Administration is an agency of the U.S. Federal Government. SSA's network and all nodes attached are provided as a service to the employees and authorized contractors. There is no expectation of user privacy in this system including, but not limited to, electronic messages. Unauthorized attempts to upload or otherwise alter data, programming language, or any other part of SSA's system are strictly prohibited and are subject to disciplinary and/or civil action or criminal prosecution. Anyone using this system expressly consents to monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, SSA may provide that evidence to law enforcement officials.

Banner Approved by SSA and the OCIG

*This is a U.S. Government computer system subject to Federal law.* The Social Security Administration is an agency of the U.S. Federal Government. SSA's network and all nodes attached are provided as a service to *its* employees and authorized contractors. There is no expectation of user privacy in *the* system including, but not limited to, electronic *mail* messages. Unauthorized attempts to *access,* upload, or otherwise alter data, programming language, or any other part of SSA's *systems* are strictly prohibited and are subject to disciplinary and/or civil action or criminal prosecution. Anyone using this system expressly consents to monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, SSA may provide *the evidence of such monitoring* to law enforcement officials.


APPENDIX C

AGENCY COMMENTS

COMMENTS ON THE OFFICE OF INSPECTOR GENERAL (OIG) DRAFT MANAGEMENT ADVISORY REPORT, "THE SOCIAL SECURITY ADMINISTRATION'S WARNING BANNER IMPLEMENTATION" (A-13-98-12041)

Thank you for the opportunity to review this draft report. We agree that use of an effective warning banner of the kind highlighted in this OIG report is an important component of our aggressive systems security program.

OIG Recommendations

Direct the Division of Systems Security (DSS) to follow the Social Security Administration's (SSA) security policy and monitor the implementation of the approved warning banner to ensure its completion in a timely manner.

Direct DSS to follow SSA's security policy and monitor the continued Agency-wide use of the warning banner as a security objective.

Comment

We agree. The Office of Systems Security (formerly named DSS) is monitoring the implementation of the approved banner now underway (see comment on following recommendation) and will continue to do so to help ensure the security of SSA data.

OIG Recommendation

Implement the SSA/Office of the Counsel to the Inspector General approved warning banner by the end of Calendar Year 1999 on all SSA local area networks (LAN) to deter fraud and abuse of computers accessing SSA LANs and assist with any investigations involving those computers.

Comment

We agree on the importance of timely implementation of the approved warning banner, and actions have been taken and are underway in this regard. The banners on all SSA LAN domain member servers have already been updated. As the remaining legacy LANs and workstations are replaced with devices that conform to the present SSA LAN infrastructure, the users will receive the approved warning banner. We expect these remaining devices to be replaced by the end of Spring 2000. Should access concerns arise concerning those computers in the future, we agree to assist in investigations as needed.


APPENDIX D

MAJOR REPORT CONTRIBUTORS

Office of the Inspector General

Gale Stone, Director, Systems Audits
Albert Darago, Audit Manager, Applications Controls
Wesley Lewis, Auditor
Kimberly Beauchamp, Writer-Editor, Technical Services

For additional copies of this report, please contact the Office of the Inspector General's Public Affairs Specialist at (410) 966-5998. Refer to Common Identification Number A-13-98-12041.


APPENDIX E

SSA ORGANIZATIONAL CHART

[Organizational chart not reproduced in this text version.]
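The finding "Only the Approved Warning Banner Language Should Be Used" and Appendix B rest on a manual comparison of the deployed banner against the approved text. As an added example, not part of the OIG report or of any SSA tooling, the following Python script automates that comparison: it tokenizes both banners, aligns them with the standard-library difflib module, and reports every omitted or changed word, so that drift such as the missing word "access" is caught without a line-by-line reading. The two banner texts are the ones printed in Appendix B; the function names (tokens, banner_diff, omitted_words, is_compliant) are this example's own.

```python
"""Banner drift check: compare a deployed logon banner against the approved wording."""
import difflib

# Approved banner text, as printed in Appendix B of the report.
APPROVED_BANNER = """This is a U.S. Government computer system subject to Federal law. The
Social Security Administration is an agency of the U.S. Federal Government.
SSA's network and all nodes attached are provided as a service to its employees
and authorized contractors. There is no expectation of user privacy in the system
including, but not limited to, electronic mail messages. Unauthorized attempts to
access, upload, or otherwise alter data, programming language, or any other part
of SSA's systems are strictly prohibited and are subject to disciplinary and/or civil
action or criminal prosecution. Anyone using this system expressly consents to
monitoring and is advised that if such monitoring reveals possible evidence of
criminal activity, SSA may provide the evidence of such monitoring to law
enforcement officials."""

# Banner SSA was actually displaying, as printed in Appendix B.
DEPLOYED_BANNER = """The Social Security Administration is an agency of the U.S. Federal Government. SSA's
network and all nodes attached are provided as a service to the employees and authorized
contractors. There is no expectation of user privacy in this system including, but not limited
to, electronic messages. Unauthorized attempts to upload or otherwise alter data,
programming language, or any other part of SSA's system are strictly prohibited and are
subject to disciplinary and/or civil action or criminal prosecution. Anyone using this system
expressly consents to monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, SSA may provide that evidence to law enforcement officials."""


def tokens(text):
    """Split banner text into words, ignoring line wrapping, curly quotes and
    surrounding punctuation so that only wording differences are reported."""
    text = text.replace("\u2019", "'").replace("\u201c", '"').replace("\u201d", '"')
    return [w.strip('.,;:"') for w in text.split()]


def banner_diff(approved, deployed):
    """Return the divergent spans as (tag, approved_words, deployed_words) tuples.
    tag is 'delete' (approved wording missing), 'insert' (extra wording) or
    'replace' (wording changed); spans that match are not reported."""
    a, b = tokens(approved), tokens(deployed)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(tag, " ".join(a[i1:i2]), " ".join(b[j1:j2]))
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def omitted_words(approved, deployed):
    """Approved words that do not survive verbatim in the deployed banner."""
    words = []
    for tag, approved_text, _ in banner_diff(approved, deployed):
        if tag in ("delete", "replace"):
            words.extend(approved_text.split())
    return words


def is_compliant(approved, deployed):
    """True only when the deployed wording matches the approved wording exactly."""
    return not banner_diff(approved, deployed)


if __name__ == "__main__":
    # Audit-style report: one line per divergence, then the overall verdict.
    for tag, approved_text, deployed_text in banner_diff(APPROVED_BANNER, DEPLOYED_BANNER):
        print(f"{tag:8} approved: {approved_text!r}  deployed: {deployed_text!r}")
    print("compliant:", is_compliant(APPROVED_BANNER, DEPLOYED_BANNER))
```

In practice the deployed text would be read from each workstation's logon-notice setting rather than pasted into the script, and the check would run as part of the monitoring the report assigns to the SSA Systems Security Officer; comparing word tokens rather than raw strings keeps line-wrapping and quote-style differences from masking real omissions.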